1. Field of the Invention
The present invention relates to an information processing system that supports single sign-on, a control method for controlling the information processing system, and a storage medium.
2. Description of the Related Art
Conventionally, a single sign-on (hereinafter referred to as SSO) mechanism based on the security assertion markup language (hereinafter referred to as SAML) exists as a technology for authentication federation among a plurality of services.
In SAML-based SSO, the user has an ID both on the side that provides the authentication service (identity provider, hereinafter referred to as IdP) and on the side that provides services relying on the authentication result of that authentication service (service provider, hereinafter referred to as SP). For example, when the user first accesses the IdP, the user must be authenticated by the IdP; this authentication is performed using the user's IdP ID and password.
The IdP can issue a SAML assertion to the authenticated user to prove that the user has been authenticated. When the user presents this SAML assertion to the SP, the SP authenticates the access relying on the authentication result of the IdP. Thus, once authenticated by the IdP, a user who accesses the SP can be authenticated by the SP using the SAML assertion described above, without presenting the user's SP ID and password.
SSO is implemented as described above. When accessing the SP via SSO, the user does not pass the user's SP ID to the SP, as described above. Therefore, the correspondence between the IdP ID authenticated by the IdP and the SP ID used for accessing the SP must be resolved.
In the description below, the correspondence between an IdP ID and an SP ID is called single sign-on mapping (hereinafter referred to as SSO mapping). To implement SSO, an appropriate SSO mapping must be established to resolve this ID correspondence.
Conventionally, Japanese Patent Application Laid-Open No. 2004-234329 discusses a system in which an SSO mapping server is used. This SSO mapping server creates SP IDs in advance and stores them without assigning them to any user. When the user passes the ID and password to the IdP and the authentication succeeds, the SSO mapping server newly assigns one of the stored SP accounts to the user. This system thus establishes the SSO mapping at the time the IdP confirms the user's validity.
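As an added illustration that is not part of this patent or of the cited prior art, the following Python sketch models both the SAML flow described above (an IdP authenticates the user by IdP ID and password and issues a signed assertion; the SP verifies the assertion and resolves the SSO mapping from IdP ID to SP ID) and the prior-art approach of pre-created, unassigned SP IDs that are handed out on the first successful IdP authentication. The entity IDs, user names, the HMAC that stands in for the XML-DSig signature, and the checks the SP performs (issuer, audience, validity period, replay) are assumptions made for the example, not details taken from the page.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumed values for the example; nothing below is taken from the patent text.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_ENTITY_ID = "https://idp.example.test"
SP_ENTITY_ID = "https://sp.example.test"
# Stand-in for the IdP's XML-DSig signing key: a symmetric HMAC key shared with the SP.
IDP_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(name):
    return f"{{{SAML_NS}}}{name}"


class IdentityProvider:
    """Authenticates users by IdP ID and password, then issues a signed assertion."""

    def __init__(self, entity_id, signing_key, users):
        self.entity_id = entity_id
        self.key = signing_key
        self.users = users  # idp_id -> (salt, pbkdf2 hash); constructed sample data

    def authenticate(self, idp_id, password):
        rec = self.users.get(idp_id)
        if rec is None:
            return False
        salt, stored = rec
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, stored)

    def issue_assertion(self, idp_id, password, audience, now, ttl=timedelta(minutes=5)):
        if not self.authenticate(idp_id, password):
            raise PermissionError("IdP authentication failed")
        root = ET.Element(_tag("Assertion"),
                          {"ID": "_" + secrets.token_hex(16), "IssueInstant": now.isoformat()})
        ET.SubElement(root, _tag("Issuer")).text = self.entity_id
        subject = ET.SubElement(root, _tag("Subject"))
        ET.SubElement(subject, _tag("NameID")).text = idp_id  # the IdP ID the SP must map
        cond = ET.SubElement(root, _tag("Conditions"), {"NotOnOrAfter": (now + ttl).isoformat()})
        ar = ET.SubElement(cond, _tag("AudienceRestriction"))
        ET.SubElement(ar, _tag("Audience")).text = audience
        xml = ET.tostring(root)
        # Real SAML signs the canonicalized assertion with XML-DSig; HMAC stands in here.
        return xml, hmac.new(self.key, xml, hashlib.sha256).hexdigest()


class ServiceProvider:
    """Trusts the IdP's assertion, then resolves the SSO mapping (IdP ID -> SP ID)."""

    def __init__(self, entity_id, trusted_issuer, idp_key, sso_mapping, unassigned_pool):
        self.entity_id = entity_id
        self.trusted_issuer = trusted_issuer
        self.idp_key = idp_key
        self.sso_mapping = dict(sso_mapping)  # established mappings
        self.pool = list(unassigned_pool)     # pre-created SP IDs not yet assigned (prior art)
        self.seen_assertion_ids = set()       # replay protection

    def verify_assertion(self, xml, sig, now):
        expected = hmac.new(self.idp_key, xml, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        root = ET.fromstring(xml)
        if root.tag != _tag("Assertion") or root.findtext(_tag("Issuer")) != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        cond = root.find(_tag("Conditions"))
        if cond is None or not cond.get("NotOnOrAfter"):
            raise ValueError("missing validity conditions")
        if now >= datetime.fromisoformat(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
        if cond.findtext(f"{_tag('AudienceRestriction')}/{_tag('Audience')}") != self.entity_id:
            raise ValueError("assertion not intended for this SP")
        if root.get("ID") in self.seen_assertion_ids:
            raise ValueError("assertion replayed")
        self.seen_assertion_ids.add(root.get("ID"))
        name_id = root.findtext(f"{_tag('Subject')}/{_tag('NameID')}")
        if not name_id:
            raise ValueError("missing NameID")
        return name_id

    def resolve_sp_id(self, idp_id):
        """Existing SSO mapping wins; otherwise assign a pre-created SP ID on first login."""
        sp_id = self.sso_mapping.get(idp_id)
        if sp_id is not None:
            return sp_id
        if not self.pool:
            raise LookupError(f"no unassigned SP account left for {idp_id}")
        sp_id = self.pool.pop(0)
        self.sso_mapping[idp_id] = sp_id
        return sp_id

    def sso_login(self, xml, sig, now):
        # Only a verified assertion may drive the mapping lookup.
        return self.resolve_sp_id(self.verify_assertion(xml, sig, now))


def _make_user(password):
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_demo():
    """Constructed sample deployment: four IdP users, one existing mapping, two spare SP IDs."""
    users = {u: _make_user(f"{u}-pw") for u in ("alice@idp", "bob@idp", "carol@idp", "dave@idp")}
    idp = IdentityProvider(IDP_ENTITY_ID, IDP_SIGNING_KEY, users)
    sp = ServiceProvider(SP_ENTITY_ID, IDP_ENTITY_ID, IDP_SIGNING_KEY,
                         sso_mapping={"alice@idp": "sp-0001"},
                         unassigned_pool=["sp-0002", "sp-0003"])
    return idp, sp
```

The order inside `verify_assertion` is the security-relevant point: because the SP never sees an SP ID or password, the NameID is the only thing that selects the SP account, so the mapping lookup must run only after the signature, issuer, audience, validity period and replay checks have passed; otherwise a forged or replayed NameID maps an attacker onto an arbitrary SP account. The pool-based assignment also shows a cost of the prior-art approach: any IdP user who authenticates successfully consumes a pre-created SP account, so the SP must treat an exhausted pool as a failed login rather than silently reusing an ID.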